firewall.paloalto
Introduction
The tags beginning with firewall.paloalto identify events generated by Palo Alto Networks Firewall.
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.paloalto. The third level identifies the event's log type and will be determined dynamically by the rule you define on the Devo Relay. The fourth element is only used in some specific cases.
Technology | Brand | Type | Subtype |
---|---|---|---|
firewall | paloalto | config, system, threat, traffic, correlation, hipmatch, url, userid | A fourth level is used in two cases. With firewall.paloalto.config it indicates the parser version: depending on the Palo Alto firewall version each client runs, some fields can arrive in a different order, so this tag level selects the matching parser (the possible values are listed under the valid tags below). With firewall.paloalto.traffic, firewall.paloalto.system and firewall.paloalto.threats, the additional level leef indicates that events are sent in LEEF format instead of the default CSV format; every log sent in LEEF must carry it. |
Therefore, the valid tags are:
- firewall.paloalto.config
  - firewall.paloalto.config.v1
  - firewall.paloalto.config.v2t
  - firewall.paloalto.config.v3
- firewall.paloalto.system
- firewall.paloalto.threat
- firewall.paloalto.traffic
- firewall.paloalto.correlation
- firewall.paloalto.hipmatch
- firewall.paloalto.url
- firewall.paloalto.userid
- firewall.paloalto.traffic.leef
- firewall.paloalto.system.leef
- firewall.paloalto.threats.leef
For more information, read more about Devo tags.
How is the data sent to Devo?
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
You will need to define a relay rule that can correctly identify the event type and apply the corresponding tag. The rule identifies the event's type by the source port that it was received on and by whether it matches a format defined by a regular expression. When the source conditions are met, the relay will apply a tag that begins with firewall.paloalto. A regular expression in the Source data field describes the format of the event data. Data is extracted from the event and used to create the third tag level.
Define the rule using the following values (the port number can be any free port on your relay):
Relay rule 1 - CSV events
- Source port → 13004
- Source data → ^[^,]+,[^,]+,[^,]+,([^,]+)
- Target tag → firewall.paloalto.\D1
- Check the Sent without syslog tag and Stop processing checkboxes
Defining a relay rule with a tag with four levels
If you need a relay rule whose tag includes the fourth level, add that level in the Target tag field. For example, to indicate v2 the target tag would be firewall.paloalto.\D1.v2
Relay rule 2 - LEEF events
- Source port → 13004
- Source data → LEEF:(?:[^\|]+\|){4}([^\|]+)\|
  If events are sent using Cortex Data Lake, the required regex for this field would be the following: LEEF:(?:[^\|]+\|){6}.cat=(
- Target tag → firewall.paloalto.\D1.leef
- Check the Sent without syslog tag and Stop processing checkboxes
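To check a rule set before deploying it, here is an added Python model of the relay evaluation (example code, not Devo's relay and not part of the original page): it applies the page's two Source data regexes in order with Stop processing semantics and substitutes the first capture group for \D1. Port 13005 with a v2 config rule, the sample lines, and lowercasing the captured log type are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional


class RelayRule(NamedTuple):
    source_port: int
    source_data: str   # regex; its first capture group becomes \D1
    target_tag: str    # target tag, may reference \D1


# Rules are evaluated top to bottom, as a Devo relay does. The LEEF rule goes
# first because the CSV pattern only demands three commas, and a LEEF description
# value can contain commas too. Port 13005 and the v2 config rule are assumed.
RULES: List[RelayRule] = [
    RelayRule(13004, r"LEEF:(?:[^\|]+\|){4}([^\|]+)\|", r"firewall.paloalto.\D1.leef"),
    RelayRule(13004, r"^[^,]+,[^,]+,[^,]+,([^,]+)", r"firewall.paloalto.\D1"),
    RelayRule(13005, r"^[^,]+,[^,]+,[^,]+,([^,]+)", r"firewall.paloalto.\D1.v2"),
]

# Constructed samples in PAN-OS CSV layout (FUTURE_USE, receive time, serial,
# type, ...) and a constructed LEEF record whose description contains commas.
CSV_TRAFFIC = "1,2021/03/09 11:23:14,012001012124,TRAFFIC,end,2049,2021/03/09 11:23:02,192.168.1.195,3.232.0.203"
CSV_CONFIG = "1,2021/03/09 11:23:14,012001012124,CONFIG,0,2049,2021/03/09 11:23:02,192.168.1.10,vsys1,set"
LEEF_SYSTEM = ("LEEF:2.0|Palo Alto Networks|LF|2.0|SYSTEM| |LogTime=2021-03-11T15:28:00.000000Z "
               "cat=general EventDescription=port ethernet1/3 went down, up, down, up")


def apply_rules(port: int, message: str, rules: List[RelayRule] = RULES) -> Optional[str]:
    """Return the tag assigned by the first rule whose port and Source data regex
    match ("Stop processing" semantics), or None if nothing matches.
    Assumption: the captured log type is lowercased, because PAN-OS emits
    TRAFFIC/SYSTEM/... while the documented tags are lowercase."""
    for rule in rules:
        if rule.source_port != port:
            continue
        m = re.search(rule.source_data, message)
        if m:
            return rule.target_tag.replace(r"\D1", m.group(1).lower())
    return None


if __name__ == "__main__":
    for port, msg in ((13004, CSV_TRAFFIC), (13004, LEEF_SYSTEM), (13005, CSV_CONFIG)):
        print(port, "->", apply_rules(port, msg))
    # With the rule order reversed, the CSV rule swallows the LEEF record and mis-tags it.
    print("reversed ->", apply_rules(13004, LEEF_SYSTEM, RULES[::-1]))
```

The reversed-order call shows why the LEEF rule must sit above the CSV rule when both share a port: the CSV regex happily captures the fourth comma-separated chunk of a LEEF description.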
Palo Alto Firewall configuration
In PAN-OS, you will need to create a Syslog Server Profile for your Devo Relay, as well as the necessary Log Forwarding Profiles and Security Policy Rules. See the vendor documentation for instructions.
If you want to send your Palo Alto firewall events to a Devo relay that resides in a different network, check out the article about sending events to the Devo relay using SSL.
Log samples
The following are sample logs sent to each of the firewall.paloalto tags. Under each sample log you will also find how the information is parsed into your data table.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
firewall.paloalto.traffic.leef
2021-03-09 11:39:49.860 localhost=127.0.0.1 firewall.paloalto.traffic.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|TRAFFIC| |TimeReceived=2021-03-09T11:23:14.000000Z DeviceSN=012001012124 EventID=TRAFFIC cat=end ConfigVersion=9.0 devTime=2021-03-09T11:23:02.000000Z src=192.168.1.195 dst=3.232.0.203 srcPostNAT=211.24.95.14 dstPostNAT=3.232.0.203 Rule=LAN-WAN_AllowAD usrName="jumpcloud.com\\chuwong" DestinationUser= Application=ssl VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=113464 RepeatCount= srcPort=56354 dstPort=443 srcPostNATPort=27427 dstPostNATPort=443 proto=tcp Action=allow Bytes=8298 srcBytes=3489 dstBytes=4809 totalPackets=26 SessionStartTime=2021-03-09T11:22:36.000000Z SessionDuration=11 URLCategory=computer-and-internet-info SequenceNo=887767286 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US srcPackets=1 dstPackets=11 SessionEndReason=tcp-rst-from-server DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 LinkChangeCount= SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution= NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
future_use_1 | | | | ✓ |
createdate | | | | ✓ |
timestamp | | | createdate | |
recvdate | | | | |
serial | | | | |
logType | | | | ✓ |
subType | | | | |
confVer | | | | ✓ |
srcIp | | | | |
dstIp | | | | |
srcXIp | | | | ✓ |
dstXIp | | | | ✓ |
srcNatIp | | | srcXIp | |
dstNatIp | | | dstXIp | |
rule | | | | |
srcUser | | | | |
dstUser | | | | |
app | | | | |
virtSys | | | | |
srcZone | | | | |
dstZone | | | | |
srcIface | | | | |
dstIface | | | | |
logAction | | | | |
logdate | | | | ✓ |
session | | | | |
repCnt | | | | |
srcPort | | | | |
dstPort | | | | |
srcXPort | | | | ✓ |
dstXPort | | | | ✓ |
srcNatPort | | | srcXPort | |
dstNatPort | | | dstXPort | |
flags | | | | |
proto | | | | |
action | | | | |
bytes | | | | |
sentBytes | | | | |
recvBytes | | | | |
pkts | | | | |
startdate | | | | |
elapsedTime | | | | |
category | | | | |
seqno | | | | |
srcCountry | | | | |
dstCountry | | | | |
cpadding | | | | |
sentPkts | | | | |
recvPkts | | | | |
session_end_reason | | | | |
dg_hier_level_1 | | | | |
dg_hier_level_2 | | | | |
dg_hier_level_3 | | | | |
dg_hier_level_4 | | | | |
vsys_name | | | | |
device_name | | | | |
action_source | | | | |
srcVMuuid | | | | |
dstVMuuid | | | | |
tunnelIDimsi | | | | |
monitorTagIMEI | | | | |
parentSessID | | | | |
parentStartTime | | | | |
tunnel | | | | |
sctpAssociationID | | | | |
sctpChunks | | | | |
sctpChunksSent | | | | |
sctpChunksReceived | | | | |
uuidForRule | | | | |
http2Connection | | | | |
client | | | vclient | ✓ |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
rawSource | | | rawMessage | ✓ |
firewall.paloalto.system.leef
2021-03-11 15:28:01.062 localhost=127.0.0.1 firewall.paloalto.system.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|SYSTEM| |LogTime=2021-03-11T15:28:00.000000Z LogSourceID=012001017258 EventID=SYSTEM cat=dhcp ConfigVersion=0.0 devTime=2021-03-11T15:27:40.000000Z VirtualLocation= EventName=lease-start EventComponent= VendorSeverity=Informational EventDescription=DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 SequenceNo=6305112 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= LogSourceName=pan-ml-nyc DeviceGroup= Template= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
future_use_1 | | | | ✓ |
timestamp | | | | |
recvdate | | | | |
serial | | | | |
logType | | | | ✓ |
subType | | | | |
future_use_2 | 0.0 | | | ✓ |
vsys | null | | | |
eventId | lease-start | | | |
object | null | | | |
future_use_3 | | | | |
future_use_4 | | | | |
module | | | | |
severity | Informational | | | |
opaque | DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 | | | ✓ |
description | DHCP lease started ip 192.168.110.134 --> mac 86:9d:c5:ce:be:f1 - hostname Dees-iPhone, interface ethernet1/3.30 | | opaque | |
actionflags | | | | |
dev_group_hierarchy_1 | | | | |
dev_group_hierarchy_2 | | | | |
dev_group_hierarchy_3 | | | | |
dev_group_hierarchy_4 | | | | |
virtual_sys_name | | | | |
device_name | | | | |
client | | | vclient | ✓ |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
firewall.paloalto.threat.leef
2021-03-11 09:18:39.383 localhost=127.0.0.1 firewall.paloalto.threat.leef: LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT| |TimeReceived=2021-03-11T09:18:37.000000Z DeviceSN=012001012124 EventID=THREAT cat=vulnerability ConfigVersion=9.0 devTime=2021-03-11T09:18:22.000000Z src=192.168.1.232 dst=140.82.114.3 srcPostNAT=211.24.95.14 dstPostNAT=140.82.114.3 Rule=LAN-WAN_AllowAD usrName= DestinationUser= Application=ssh VirtualLocation=vsys1 FromZone=LAN ToZone=WAN_TIME InboundInterface=ethernet1/4 OutboundInterface=ethernet1/2 LogSetting=Log-Forwarding SessionID=112575 RepeatCount=2 srcPort=50176 dstPort=22 srcPostNATPort=53783 dstPostNATPort=22 proto=tcp Action=drop FileName= ThreatID=SSH User Authentication Brute Force Attempt(40015) VendorSeverity=High DirectionOfAttack=client to server SequenceNo=154995599 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=US PacketID=0 FileHash= ApplianceOrCloud= URLCounter=0 FileType= SenderEmail= EmailSubject= RecipientEmail= ReportID=0 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=pan-ml-kl SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A ThreatCategory=brute-force ContentVersion=549329324 SigFlags=0x0 RuleUUID=e97a0d84-24e4-4556-ae9d-32dc0fbd59be HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= HostID= EndpointSerialNumber= DomainEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= PartialHash= TimeGeneratedHighResolution= NSSAINetworkSliceType= devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
And this is how the logs would be parsed:
Field | Value | Type | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | | |
future_use | | | | ✓ |
createdate | | | | ✓ |
timestamp | | | createdate | |
recvdate | | | | |
serial | | | | |
logType | | | | ✓ |
subType | | | | |
confVer | | | | ✓ |
srcIp | | | | |
dstIp | | | | |
srcXIp | | | | ✓ |
dstXIp | | | | ✓ |
srcNatIp | | | srcXIp | |
dstNatIp | | | dstXIp | |
rule | | | | |
srcUser | | | | |
dstUser | | | | |
app | | | | |
virtSys | | | | |
srcZone | | | | |
dstZone | | | | |
srcIface | | | | |
dstIface | | | | |
logAction | | | | |
logdate | | | | ✓ |
session | | | | |
repCnt | | | | |
srcPort | | | | |
dstPort | | | | |
srcXPort | | | | |
dstXPort | | | | |
srcNatPort | | | srcXPort | |
dstNatPort | | | dstXPort | |
flags | | | | |
proto | | | | |
action | | | | |
misc | | | | ✓ |
url_filename | | | misc | |
threatid | | | | |
category | | | | |
severity | | | | |
direction | | | | |
seqno | 154995599 | | | |
actionflags | | | | |
srcloc | | | | |
dstloc | | | | |
cpadding | | | | |
contenttype | | | | |
pcadId | | | | |
pcapId | | | pcadId | |
fileDigest | | | | |
cloud | | | | |
urlIdx | | | | |
userAgent | | | | |
fileType | | | | |
xff | | | | |
referer | | | | |
sender | | | | |
subject | | | | |
recipient | | | | |
reportid | | | | |
dgHierLevel1 | | | | |
dgHierLevel2 | | | | |
dgHierLevel3 | | | | |
dgHierLevel4 | | | | |
vsysName | | | | |
deviceName | | | | |
future_use_1 | | | | ✓ |
srcVMuuid | | | | |
dstVMuuid | | | | |
httpMethod | | | | |
tunnelIDimsi | | | | |
monitorTagIMEI | | | | |
parentSessID | | | | |
parentStartTime | | | | |
tunnel | | | | |
thrCategory | | | | |
contentver | | | | |
future_use_2 | | | | ✓ |
sctpAssociationID | | | | |
payloadProtocolID | | | | |
httpHeaders | | | | |
urlCategoryList | | | | |
uuidForRule | | | | |
http2Connection | | | | |
client | | | vclient | ✓ |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | |
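The three LEEF samples above use a single space as the attribute delimiter (the sixth header field) while values such as ThreatID and EventDescription themselves contain spaces, which is the main trap when these records are parsed outside Devo, for instance while debugging a relay. The following added Python parser (example code, not Devo's parser and not part of the original page) handles that by cutting only where a delimiter is immediately followed by another key=; the shortened sample record is constructed from the threat log above.

```python
import re
from typing import Dict, Tuple

# Constructed sample, shortened from the firewall.paloalto.threat.leef record above.
SAMPLE = ("LEEF:2.0|Palo Alto Networks|LF|2.0|THREAT| |TimeReceived=2021-03-11T09:18:37.000000Z "
          "DeviceSN=012001012124 EventID=THREAT cat=vulnerability src=192.168.1.232 "
          "dst=140.82.114.3 usrName=\"jumpcloud.com\\chuwong\" DestinationUser= Application=ssh "
          "Action=drop FileName= ThreatID=SSH User Authentication Brute Force Attempt(40015) "
          "VendorSeverity=High DirectionOfAttack=client to server SequenceNo=154995599")

HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one LEEF 2.0 record into (header, attributes).

    The sixth header field names the attribute delimiter. PAN-OS sends a
    literal space, and values such as ThreatID or EventDescription contain
    spaces themselves, so the payload is cut only where a delimiter is
    immediately followed by another key= token, never inside a value."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    parts = line[len("LEEF:"):].split("|", 6)     # a '|' inside a value stays in parts[6]
    if len(parts) != 7:
        raise ValueError("LEEF 2.0 header needs six pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    delim = parts[5] or "\t"                       # LEEF 1.0 style records default to a tab
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):    # LEEF 2.0 hex form of the delimiter, e.g. x09
        delim = chr(int(delim[1:], 16))
    cut = re.compile(re.escape(delim) + r"(?=[A-Za-z][\w-]*=)")   # keys like X-Forwarded-ForIP
    attrs: Dict[str, str] = {}
    for token in cut.split(parts[6]):
        key, _, value = token.partition("=")
        value = value.strip(delim)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                    # usrName="..." arrives quoted
        if key:
            attrs[key] = value
    return header, attrs


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    print(hdr["event_id"], attrs["cat"], "|", attrs["ThreatID"], "|", attrs["DirectionOfAttack"])
```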
Related articles